The Elex Installer NSIS rule detects the execution of a potentially malicious NSIS installer associated with the Elex tool, which may be used for lateral movement or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary activity that could lead to deeper network compromise.
YARA Rule
rule Trj_Elex_Installer_NSIS
{
meta:
author = "Centro Criptológico Nacional (CCN)"
description = "Elex Installer NSIS"
ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
strings:
$mz = { 4d 5a }
$str1 = {4e 75 6c 6c 73 6f 66 74 }
$str2 = {b7 a2 d5 dc 0c d6 a6 3a}
condition:
($mz at 0) and ($str1 at 0xA008) and ($str2 at 0x1c8700)
}This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
Scenario: Scheduled system update using NSIS installer
Filter/Exclusion: process.parent_process == "task scheduler" or process.name == "wusa.exe"
Scenario: IT department deploying a legitimate application via NSIS installer
Filter/Exclusion: process.user == "IT_Administrator" or process.command_line contains "deploy"
Scenario: User installing a legitimate software package with NSIS installer
Filter/Exclusion: process.user == "Regular_User" or process.command_line contains "setup.exe"
Scenario: Automated build process using NSIS to package application binaries
Filter/Exclusion: process.parent_process == "jenkins.exe" or process.command_line contains "build"
Scenario: System maintenance task using NSIS to clean up temporary files
Filter/Exclusion: process.command_line contains "cleanup" or process.name == "cleanmgr.exe"